Verifying Windows binary on initial download

Hello Everyone,

Background:

  • I have used Syncthing for around a year on many of my devices.
  • I am returning to Windows and wanted to install the base Syncthing; this is where I ran into an issue verifying the downloaded binary.
  • I couldn’t find a similar question on the forum other than this one, but the solution points to the security page, which is a broken link. That solution also seems to use gpg, and I’d rather use stsigtool if that is a possibility.

What I did:

  • Read the release signing page
  • Downloaded v1.27.1 base for Windows (amd64)
  • Extracted the files; opened a terminal in the newly extracted folder
  • I had previously installed Go and stsigtool from Syncthing’s GitHub repository
  • Ran this command:
    stsigtool verify ./metadata/release.sig ./syncthing.exe
    
    which returned
    incorrect signature
    
    Note there is no syncthing.exe.sig file like the release signing page suggests.

    I downloaded and ran the above commands on a Mac; I plan to verify on the Mac and then move the binary to my Windows laptop.

I am looking for help on what I missed:

  1. Did I understand the signing page correctly?
  2. Where is the syncthing.exe.sig file?

It’s at https://syncthing.net/security/ nowadays. The process described there should work now, as it did then.

The signing mechanism evolved slightly (several years ago), and stsigtool wasn’t updated to check signatures according to the new format, unfortunately. The signature file is the one you found, metadata/release.sig, but it’s no longer a straight signature of just the bytes in the exe file. We’d need to update stsigtool to process the archive itself for it to be easy to use. The old-style exe-only signature was removed (also years ago) because it was no longer used by anything…
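The point in the reply above, that a signature made over the whole archive cannot be expected to verify against the exe extracted from it, as an added Go example that is not part of this thread and is not stsigtool’s or Syncthing’s code. It uses a generic Ed25519 detached signature over a SHA-256 digest, with a constructed test key and constructed archive bytes; Syncthing’s real signature format and release keys are not reproduced here, and the names Release, SampleKey, SignArchive and VerifyRelease are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release models one downloaded release: the archive as fetched and the
// executable extracted from it. Both byte strings are constructed for this
// example and stand in for a real .zip and its syncthing.exe.
type Release struct {
	Archive []byte
	Exe     []byte
}

// NewSampleRelease wraps a stand-in exe payload in fake archive framing so that
// the archive bytes and the extracted exe bytes differ, as they do for a real zip.
func NewSampleRelease() Release {
	exe := []byte("MZ\x90\x00 constructed stand-in for syncthing.exe")
	archive := bytes.Join([][]byte{
		[]byte("PK-archive-header:"),
		exe,
		[]byte(":PK-central-directory"),
	}, nil)
	return Release{Archive: archive, Exe: exe}
}

// SampleKey derives a deterministic Ed25519 key pair from a fixed seed.
// This is a constructed test key, not a Syncthing release key.
func SampleKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign produces a detached signature over the SHA-256 digest of data.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	digest := sha256.Sum256(data)
	return ed25519.Sign(priv, digest[:])
}

// Verify checks a detached signature against data with the given public key.
func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ed25519.Verify(pub, digest[:], sig)
}

// SignArchive signs the archive as a whole, which is the artifact the signer
// actually produced; no separate signature exists for the extracted exe.
func SignArchive(priv ed25519.PrivateKey, rel Release) []byte {
	return Sign(priv, rel.Archive)
}

// VerifyRelease reports whether sig verifies over the archive and whether the
// same sig verifies over the extracted exe. Only the first can succeed.
func VerifyRelease(pub ed25519.PublicKey, rel Release, sig []byte) (archiveOK, exeOK bool) {
	return Verify(pub, rel.Archive, sig), Verify(pub, rel.Exe, sig)
}

func main() {
	pub, priv := SampleKey()
	rel := NewSampleRelease()
	sig := SignArchive(priv, rel)
	archiveOK, exeOK := VerifyRelease(pub, rel, sig)
	fmt.Printf("signature over archive verifies:   %v\n", archiveOK) // true
	fmt.Printf("same signature over extracted exe: %v\n", exeOK)     // false

	// A single flipped byte in the archive must also fail verification.
	tampered := append([]byte(nil), rel.Archive...)
	tampered[len(tampered)-1] ^= 0xff
	fmt.Printf("signature over modified archive:   %v\n", Verify(pub, tampered, sig)) // false
}
```

Run it with go run on a single file. The takeaway for the situation in this thread is that “incorrect signature” from a tool pointed at the extracted syncthing.exe does not by itself mean the download is bad: the check has to be run over exactly the bytes the signer covered, which per the reply above is the archive, not the exe inside it.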
